Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Görtz Institute for IT Security Ruhr University Bochum
Subset Sum Subset Sum Problem � 0 , 1 Given: ( a 1 , . . . , a n , t, ω ) , where a i , t ∈ Z 2 n and ω ∈ � 2 Find: e ∈ { 0 , 1 } n : � e i a i = t mod 2 n and ✇t ( e ) = ωn • Random instance: a i ∈ R Z 2 n • Cryptanalytic applications (Decoding, LPN, SIS, DLP) • a := ( a 1 , . . . , a n ) Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 2/18
A memoryless Meet-in-the-Middle n x : 0 4 = + e : n/ 2 n y : 0 4 n 2 search for collision n n f ( x ) := � a , x � mod 2 g ( y ) := t − � a , y � mod 2 2 2 n � a , x � = t − � a , y � mod 2 collision: 2 n t = � a , x + y � mod 2 2 Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 3/18
Folklore Algorithm 1. search for collision g f collision ( x , y ): � a , x + y � mod 2 n T = 2 0 . 75 n t $ 2a. n 2 2. repeat ? = t 2b. yes no out: x + y Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 4/18
The Representation Technique x n/ 4 f : x 0 + n/ 4 y 0 = n/ 2 e g : e y Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18
The Representation Technique x 2 x 1 n/ 4 f : x + n/ 4 y = y 2 n/ 2 e g : e many representations y 1 Goal: increase domain and #useful collisions Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18
The memoryless BCJ Algorithm n/ 4 n/ 4 increased size ⇒ increased modulus more collisions many good � − 1 � #good Colls T = · T C collisions #all Colls = 2 0 . 72 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 6/18
Folklore vs. BCJ 0 . 75 0.72 0 . 5 log T Folklore n BCJ 0 . 25 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 7/18
Discrete Logarithms (low weight) DLP Given: group G with | G | ≈ 2 n generated by g , β ∈ G and ω ∈ � 0 , 1 � 2 Find: α = ❞❧♦❣ g β satisfying g α = β and wt ( α ) = ωn � (MitM) �� n • Time lower bound ωn • ω = 1 2 usual case • Pollard Rho ( T = 2 0 . 5 n , M = poly) Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 8/18
low-weight DLP Landscape 0 . 75 0.72 0 . 5 log T n Folklore 0 . 25 BCJ Pollard Lowerbound 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 9/18
Use of Carry Bits search for collision f 2 ( y ) := βg − y f 1 ( x ) := g x collision: g x + y = β = g α ωn x 2 + ωn y 2 = ωn e Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18
Use of Carry Bits search for collision f 2 ( y ) := βg − y f 1 ( x ) := g x collision: g x + y = β = g α ωn 2 + ε x x + y computed + over Z (mod | G | ) ωn y 2 + ε = α ωn Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18
Increase the Weight wt ( x ) = wt ( y ) = ωn 2 + ε = φ ( ω ) n 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 φ ( ω ) 0 ω/ 2 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 11/18
The new Algorithm search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domainsize φ ( ω ) n y ⇒ more Representations � − 1 � #good Colls T = · T C #all Colls = 2 ( H ( ω ) − H ( φ ) / 2) n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 12/18
Updated low-weight DLP Landscape 0 . 75 0.72 0 . 5 log T n Folklore BCJ 0 . 25 New Alg. Pollard Lowerbound 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 13/18
A new Time-Memory-Tradeoff search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domain size φ ( ω ) n y ⇒ more representations � − 1 � #good Colls T = · T C #all Colls = 2 ( H ( ω ) − H ( φ ) / 2) n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18
A new Time-Memory-Tradeoff search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domain size φ ( ω ) n y ⇒ more representations �� #good Colls � − 1 � − 1 � #good Colls M = T = · T C #all Colls #all Colls H ( ω ) n = 2 2 Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18
Achieving the Square-Root Bound 0 . 5 time / memory exponent BCJ time BCJ memory 0 . 25 New time New memory 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 15/18
Back to Subset Sum search for 1. collision g f collision ( x , y ): � a , x + y � mod 2 n $ t 2a. repeat ? = t 2b. yes out: x + y no Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18
Back to Subset Sum h 1 ( s ) search for 1. s collision s g f collision ( x , y ): � a , x + y � mod 2 n v t v Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18
Back to Subset Sum h 1 ( s ) h 2 ( s ) search for 1. search for s s collision collision g 1 g 2 f 1 f 2 � a , x 1 + y 1 � mod 2 n � a , x 2 + y 2 � mod 2 n collision: v t v ’ 0 v t − v ′ search for 2. collision coll. ⇒ � a , x 1 + y 1 + x 2 + y 2 � = t mod 2 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18
Nested Rhos � − 1 � #good Colls T = · T C #all Colls = 2 0 . 65 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 17/18
Results Folklore Group Subset Sum BCJ (low-weight) DLP Subset Sum Improved Algorithms improved poly memory Nested Collision Search 2 0 . 65 n , poly memory reduced MitM memory Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 18/18
Recommend
More recommend
![Introduction to Data Science: Neural [ 1 , 2 , , p ] g x w h m g h g f w old M](https://c.sambuz.com/1003023/introduction-to-data-science-neural-s.jpg)
